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© Computer network for real time control with automatic fault identification and by-pass. 



© A computer network for real time control having 
redundant components for automated fault identifica- 
tion and automated bypass of identified faulty com- 
ponents. The system includes at least two main 
computers, each coupled to at least two independent 
parallel data channels. A plurality of satellite com- 
puter pairs are connected to these channels, each 
pair receiving information from a plurality of I/O 
racks which are connected to redundant sensors for 
detecting information and to redundant actuators for 
implementing system control. The main computers 
are continuously crosslinked and perform evaluation 
of their respective input and output streams compar- 
ing these streams for consistency between the main 
CJ computers. In the event that an inconsistency is 
^detected in the data streams, the system checks for 
00 faulty components to determine the origin of the 
O inconsistency. The system utilizes an evaluation 
method whereby each main computer independently 
0> accesses each of the parallel data channels, satellite 
0> computers, I/O racks, sensors and actuators to lo- 
"cate inconsistencies in the data stream. The system 
Othen allows for operation with one of the redundant 
^components while the identified defective redundant 
qj component is repaired or replaced. 




Xerox Copy Centre 



1 



EP 0 399 308 A2 



2 



COMPUTER NETWORK FOR REAL TIME CONTROL WITH AUTOMATIC FAULT IDENTIFICATION AND BY 

PASS 



BACKGROUND OF THE INVENTION 



The present invention relates to a computer 
system for performing real time control which has 
means for identifying faulty components within the 
computer network. More particularly, the present 
invention relates to such systems wherein a num- 
ber of redundant information or data paths are 
provided to allow for accurate fault identification 
and to accommodate bypassing faulty components. 

Computer systems are commonly utilized to 
control a wide variety of machinery, performing a 
wide variety of numerous complex tasks, processes 
or operations. In order for a computer system to 
properly accomplish a desired control function, it 
must rely upon a network to provide the necessary 
data to perform its controlling function. The network 
will most commonly consist of a number of sensors 
for detecting any of the variety of inputs, status or 
the like and any number of data busses or inter- 
faces for communicating the sensed information to 
the computer system. 

Control information is commonly sent back 
through the network in response to the sensed 
information for maintaining proper control of the 
desired operation. With a complex series of sen- 
sors, networks, busses, inputs/outputs and transfer- 
ring devices, a failure can often arise in such a 
complex network. Therefore, provisions have to be 
made to account for errors or failures within the 
computer system or the information network. Fail- 
ures must not only be detected and evaluated, but 
if possible, provisions must be made to circumvent 
errors or equipment failures in order to allow the 
system to perform its intended function with the 
remainder of the network and system in place. 

SUMMARY OF THE INVENTION 



It is an object of the present invention to pro- 
vide a computer network capable of detecting and 
analyzing failures and to perform real time control 
despite the occurrence of such failures. 

It is another object of the invention to provide a 
computer control system operating with a data car- 
rying network which is capable of detecting failures 
within the network, double checking the existence 
of such failures and rerouting data or information 
through the network to circumvent failed portions. 

These and further objects are accomplished by 
the present invention through the provision of a 



computer system and data transmittal network hav- 
ing redundancy, including two identical main com- 
puters each having independent interfaces to re- 
dundant data transmission pathways, two identical 

5 satellite computers having redundant interfaces to 
redundant data pathways and having redundant 
input/outputs for redundantly detecting and cross 
checking data, wherein the inputs and outputs of 
each satellite computer are compared to the inputs 

to and outputs of the redundant identical satellite 
computer and both main computers independently 
compare the input/output data of each satellite 
computer at each redundant input and output sen- 
sor to check for correspondence. 

75 

BRIEF DESCRIPTION OF THE FIGURES 



20 Figure 1 is a schematic block diagram of the 

overall operating configuration of a two computer 
embodiment of the present invention. 

DETAILED DESCRIPTION OF AN EXEMPLARY 
25 EMBODIMENT 



Figure 1 illustrates a redundant data network of 
the present invention utilized to perform real time 

30 control. Two parallel paths, designated A and B ( 
are provided linking main computers 10 and 12 
with sensor 24 and actuator 26. Main computer 10 
utilizes data path A as its primary path, and B as a 
secondary or alternative path. Main computer 12 

35 utilizes data path B as its primary path and path A 
as a secondary. The two identical main computers 
10 and 12 each have independent interfaces 101, 
102 and 121, 122. respectively. The primary inter- 
face 101 of computer 10, designated A, is con- 

40 nected to the first data highway 20 designated 
channel A. The primary interface 121 of computer 
12, designated B, is connected to the second data 
highway 22, designated channel B. Each main 
computer 10, 12 has a secondary interface 102, 

45 122 respectively which is connected to channel B 
or A respectively. 

Satellite computers 14 and 16 are also pro- 
vided. Each of the satellite computers has an A and 
B interface. 141, 142 and 161, 162, respectively, 

so attached to the A and B data highways 20 and 22. 
Each satellite computer is connected to each of 
two identical input/output racks 17 and 18. Rrst 
satellite computer 14 has rack interfaces 143 and 
144 designated A and B t respectively. Second sat- 
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ellite computer 16 has rack interfaces 163 and 164, 
designated A and B, respectively. 

These interfaces are interconnected to the first 
and second input/output (I/O) racks 17 and 18 as 
illustrated, with the A interfaces connected to I/O 
rack 17 and the B interfaces connected to I/O rack 
18. 

In the illustrated embodiment two main and two 
satellite computers are illustrated. In a computer 
network employing the. present invention there are 
typically two main computers as illustrated, how- 
ever, there are a number of satellite computer 
pairs. Each pair collecting data from sensors feed- 
ing those pairs through their I/O racks. Each sat- 
ellite pair controlling a portion of the system 
through actuators. Each pair can be located within 
a few feet or several thousand feet from the main 
computers depending upon the extent of the data 
highway network. 

As illustrated in Figure 1 t a sensor 24 and an 
actuator 26 are connected to the I/O racks 17 and 
18. The sensor 24 along with all the other sensors 
of the network (not illustrated) gather data informa- 
tion from the process or device being monitored 
and controlled and feed information to the I/O racks 

17 and 18. The actuator receives commands from 
I/O racks 17 and 18 and acts upon the device or 
system being controlled. 

Sensor 24 is provided with redundant trans- 
ducers 241 and 242 for supplying sensed informa- 
tion to I/O racks 17 and 18. Each transducer sup- 
plies information to both of the I/O racks. The I/O 
racks 17 and 18 are each provided with an input 
173, 183, respectively for receipt of the information 
from the sensor. 

The actuator 26 is provided with redundant 
transducers 261 and 262 which each receive com- 
mands from the output register 174 or 184 of one 
of the I/O rack 17 and 18, respectively. In this 
manner, the actuator 26 receives redundant com- 
mands, however, only one commands is supplied 
to each of the redundant transducers 261, 262 of 
the actuator 26. The actuator 26 acts upon the 
information only when the commands received by 
each of the transducers 261 and 262 are in agree- 
ment The command outputs from I/O racks 17 and 

18 are looped back from the transducers 261 or 
262, to the inputs 173 and 183, respectively, of the 
same I/O rack on lines 175 or 185, so that they can 
be monitored as any other input signal. Also, each 
I/O rack is provided with a means for generating a 
check bit which is also feed back along line 176 or 
186 into the input of the same I/O rack. This check 
bit is utilized to evaluate error checking in the 
event of signal discontinuity, as will be explained in 
greater detail later. 

In a normal mode of operation, both sides of a 
redundant system perform the identical control 



function by reading inputs from their respective 
sides of the sensor, performing the required logic 
calculations, and initiating commands. In this man- 
ner the first main A computer 10 works with the 

5 first satellite A computer 14 and the first I/O A rack 
17 to receive data from sensor 24 and to control 
actuator 26. Simultaneously, the second main B 
computer 12, second satellite B computer 16 and 
second I/O B rack 18 act to receive data from 

to sensor 24 and to control actuator 26 in parallel 
therewith. Each Ynain computer utilizes the respec- 
tive sets of interfaces and channels A, B respec- 
tively all the way down to the sensors and ac- 
tuators to perform the respective control function. 

/5 The present invention teaches a method that 

utilizes the configuration illustrated in Figure 1 to 
achieve fault redundant performance with automatic 
identification of the faulty component within the 
network or system. The network also achieves 

20 automatic bypassing of the faulty component by 
utilizing the parallel control channel with confi- 
dence. 

Main computers 10 and 12 are provided with 
cross-connected links 103 and 104 for continuous 

25 monitoring of the input data received by both main 
computers to check for agreement of this data. 
Because the loop back along signal lines 175 and 
185 of the output to activator 26 is provided as 
described above, the monitoring between main 

30 computers 10 and 12 can check both the input and 
output to the sensors and actuators, respectively, 
of both channels. 

An essential element in achieving fault redun- 
dant performance is the provision in each of the 

35 main computers 10 and 12 of software which pro- 
vides the following function. When a discrepancy is 
detected in any of the input data, both main com- 
puters 10 and 12 note the discrepancy (assuming 
both main computers are functioning properly). 

40 Main computer 10 if operating properly will under- 
take the initial corrective and diagnostic actions 
described below, with subsequent notification to 
second main computer 12. Main computer 12 will 
wait for a fixed predetermined amount of time to 

45 receive such notification. If notification is not re- 
ceived within that time period, then main computer 
12 will assume that main computer 10 is not func- 
tioning properly and therefore second main com- 
puter 12 will undertake the corrective actions de- 

50 scribed below. 

The following discussion refers to diagnostic 
and corrective action taken by first main computer 
10. If, as described above, second main computer 
12 is utilized then it will be understood that cor- 

55 responding components of the B channel would be 
utilized where A channel components are referen- 
ced. Upon detection of a discrepancy in the input 
or output data from the cross-connect link, main 
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computer 10 (or in the alternative second main 
computer 12) utilizes its own alternate interface 102 
to the B channel 22 to read directly the redundant 
data input on data highway B which would normally 
be channelled to second main computer 12. If, as a 
result of this cross-check, the data set on channel 
B coincides with the data set on channel A, then 
the second main computer 12 or its linkage to data 
highway 22, channel B, is presumed defective ei- 
ther in the linking mechanism or in the interface 
122. Communication to the other cross-connect link 
104, B, is utilized to determine if a fault is in the 
primary, A. cross-connected channel 103. In either 
situation, operation can continue with both channels 
being read by one of the main computers 10 or 12 
while the other main computer or the defective 
cross-connect link is serviced. 

If the data from the cross-connect channel in- 
dicates that a discrepancy is still present when 
main computer 10 is reading the data off of both 
channels A and B, then the problem is located 
either in the first main computer 10 itself or else- 
where within the system network. In order to deter- 
mine where the problem exists, the first main com- 
puter 10 requests the second main computer 12 to 
read the redundant set of input data on the A 
channel. Second main computer 12 reads this data 
through secondary interface 121 and compares it 
to the data read from channel B on interface 122. If 
the data sets coincide, then the system fault is in 
the first main computer 10. Second main computer 
12 will therefore be utilized to continue normal 
operation utilizing both channels A and B while first 
main computer 10 is serviced. 

If, however, upon evaluation by second main 
computer B the data sets continue to demonstrate 
a discrepancy, trouble shooting control is resumed 
as described below by first main computer 10. 

If, the cause of the discrepancy was not found 
through the procedure outlined above, main com- 
puter 10 begins a similar trouble shooting proce- 
dure that again utilizes the dual redundancy con- 
figuration to determine the location of the problem. 
However, in this error checking sequence, the next 
level of the system is evaluated, i.e.. the satellite 
computer level. To accomplish this, both main 
computers 10 and 12 utilize the same satellite 
computer, either first satellite computer 14 or sec- 
ond satellite computer 16 io collect the input data. 
The data thus received by each of the main com- 
puters 10 and 12 is compared. Then the other 
satellite computer is utilized. In this manner, the 
correct operation of each of the satellite computers 
14 and 16 can be determined. As detailed above, 
this procedure will determine which satellite is de- 
fective and operation can continue utilizing the oth- 
er satellite computer while the defective one is 
serviced. 



In a similar manner, the integrity of I/O racks 
17 and 18 can be evaluated, switching between 
racks and comparing data. The network functions 
can be maintained while identification of a faulty I/O 
5 rack is made, and service to that rack is performed. 
Through utilizing the procedure outlined above, 
and by applying this procedure to each level of the 
network, the systematic evaluation of network com- 
ponents can be accomplished throughout the entire 

io network until the cause of a data fault is deter- 
mined in any onte of the components of the net- 
work, including the main computers, interfaces to 
the data highway, the satellite computers, interface 
to the I/O racks, the I/O racks or the sensors or 

75 actuators. 

The check bit feature provided on each I/O 
rack connecting the output to the input of the same 
rack, is utilized at any time a comparison of input 
data changes from unsatisfactory to satisfactory. 

20 The redundancy check bit is utilized to insure that 
the newly obtained coincidence of input data does 
not reflect a common failure but instead reflects 
satisfactory data. 

For example, in a situation wherein both main 

25 computers 10 and 12 switch to obtaining their data 
through first satellite computer 14, during an error 
checking sequence described above, the data re- 
quires verification. If the data from each channel 
passed through satellite computer 14 coincides, it 

30 could be the result of a common mode failure 
within satellite computer 14 that effects both chan- 
nels A and B. In this case, the check bit on each 
I/O rack is toggled according to a randomly gen- 
erated sequence. The reception of an identical 

35 sequence on the respective input channel is an 
indication that the coincidence is not due to a 
common mode failure. 

It will be understood that the above description 
of the present invention is susceptible to various 

40 modifications, changes and adaptations, and the 
same are intended to be comprehended within the 
meaning and range of equivalents of the appended 
claims. 

45 

Claims 

1 . A computer system comprising: 
first and second main computers, each computer 
so having a primary data interface and a secondary 
data interface each interface for sending and re- 
ceiving system signals; 

a first data highway for conveying said system 
signals, connected to said primary interface of said 
55 first main computer and to said secondary interface 
of said second main computer; . 
a second data highway for conveying said system 
signals, connected to said primary interface of said 
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second main computer and to said secondary inter- 
face of said first main computer; 
first and second satellite computers for relaying 
said system signals, each connected to said first 
and second data highways; 

first and second I/O racks, each connected to said 
first and second satellite computers; 
a sensor pair for generating selected system sig- 
nals, connected to each of said I/O racks, and 
an actuator pair for reacting to selected system 
signals connected to each of said I/O racks. 

2. The computer system of claim 1, further 
comprising: 

means for comparing said system signals received 
by said first main computer with said system sig- 
nals received by said second main computer, and 
for detecting discrepancies between said signals. 

3. The computer system of Claim 1, said first 
main computer further comprising means for selec- 
tively monitoring either said primary interface or 
said secondary interface of said first main com- 
puter; 

said second main computer further comprising 
means for selectively monitoring either said pri- 
mary interface or said secondary interface of said 
second main computer. 

4. The computer system of Claim 3, further 
comprising 

means for comparing said system signals received 
by said first main computer with said system sig- 
nals received by said second main computer, and 
for detecting discrepancies between said signals; 
wherein 

said selection means are connected to said com- 
parison means for reacting to a detected discrep- 
ancy, configuring said first and second main com- 
puters for simultaneous monitoring of a common 
data highway. 

5. The computer system of Claim 1, further 
comprising: 

means for selectively enabling said first satellite 
computer to relay said system signals to said first 
and second data highways while selectively dis- 
abling said second satellite computer from relaying 
said system signals. 

6. The computer system of Claim 1, further 
comprising: 

means for selectively enabling said second satellite 
computer to relay said system signals to said first 
and second data highways while selectively dis- 
abling said first satellite computer from relaying 
said system signals. 

7. The computer system of Claim 1, further 
comprising: 

means for establishing a signal path between said 
sensor pair and said first and second satellite com- 
puters via said first I/O rack, while blocking a signal 
path between said sensor pair and said first and 



second satellite computers via said second I/O 
rack. 

8. The computer system of Claim 1, further 
comprising: 

5 means for establishing a signal path between said 
sensor pair and said first and second satellite com- 
puters via said second I/O rack, while blocking a 
signal path between said sensor pair and said first 
and second satellite computers via said first I/O 

io rack. 

9. A method for diagnosis of a computer sys- 
tem according to Claim 2, comprising the steps of: 
detecting discrepancies between said system sig- 
nals received by said first main computer and said 

75 system signals received by said second main com- 
puter; 

monitoring said primary data interface and said 
secondary data interface of said first main com- 
puter and comparing the system signals received 

20 thereon for consistency; 

utilizing said first satellite computer to relay said 
system signals between said first I/O rack and said 
first and second data highways; 
utilizing said first I/O rack to establish a data path 

25 between said sensor pair and said first and second 
satellite computers. 

Claim 10. A method for monitoring and control- 
ling sensors and actuators, comprising the steps of: 
providing first and second main computers; 

30 providing a first signal pathway divided into a plu- 
rality of discreet segments, between said main 
computers and said sensors and actuators; 
providing a second signal pathway redundant and 
parallel to said first signal pathway and having 

35 corresponding parallel segments; 

selectively monitoring and controlling said sensors 
and actuators with said first main computer through 
said first signal pathway; 

selectively monitoring and controlling said sensors 

40 and actuators with said second main computer 
through said second signal pathway; 
comparing said monitoring by said first computer 
with said monitoring by said second computer and 
generating a discrepancy signal in response to the 

45. detection a discrepancy between said monitorings 
during said comparison. 

Claim 11. A method according to Claim 10, 
wherein said step of selectively monitoring with 
said first computer includes the step of: 

so selectively bypassing at least one of said segments 
of said first signal pathway, wherein said corre- 
sponding parallel segment of said second signal 
pathway is substituted therefor. 

Claim 12. A method according to Claim 11, 

55 wherein said selective bypassing occurs in re- 
sponse to the generation of a discrepancy signal. 
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© A computer network for real time control having 
redundant components for automated fault identifica- 
tion and automated bypass of identified faulty com- 
ponents. The system includes at least two main 
computers, each coupled to at least two independent 
parallel data channels. A plurality of satellite com- 
puter pairs are connected to these channels, each 
pair receiving information from a plurality of I/O 
racks which are connected to redundant sensors for 
detecting information and to redundant actuators for 
implementing system control. The main computers 
are continuously cross linked and perform evalu- 
ation of their respective input and output streams 
comparing these streams for consistency between 
the main computers. In the event that an inconsis- 
tency is detected in the data streams, the system 
checks for faulty components to determine the origin 
of the inconsistency. The system utilizes an evalu- 
ation method whereby each main computer indepen- 
dently accesses each of the parallel data channels, 
satellite computers, I/O racks, sensors and actuators 
to locate inconsistencies in the data stream. The 
system then allows for operation with one of the 
redundant components while the identified defective 
redundant component is repaired or replaced. 
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